Operations
3/17/2016
10:45 AM
John B. Dickson
John B. Dickson
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Beyond Back Doors: Recalibrating The Encryption Policy Debate

Three compelling reasons why access to back doors should not be the intelligence and law enforcement community's main policy thrust in the fight against terrorism.

A strange confluence of events has brought encryption to the center of public policy debate in spite of the heated presidential election cycle and other geopolitical current events. Terrorism, Edward Snowden’s NSA leaks, and a constant stream of high-profile breaches that have put citizens’ private data at risk have elevated the discussion that previously existed solely in technical circles. Recent calls by the United States government to gain access to backdoors on  software and sites in order to intercept terrorist communications has increased the emotional volume of the debate, pitting the Administration, intelligence community, and law enforcement against technology companies and privacy advocates.

When focusing on the upside that backdoors provide, government leaders have downplayed the damage to US technology leadership in the world and the economic impact to US technology companies. At the same time, many US technology companies view themselves “above the fray” with international markets key to their businesses. In spite of being US-based companies, they feel that close alignment with the American government puts them at an economic disadvantage. 

This is occurring in what many observers characterize as a policy vacuum surrounding the encryption debate - a victim perhaps of other political issues facing our elected officials. Post-Snowden, Congress has yet to provide clarity to its citizens on the security vs. privacy debate, leaving the Executive Branch unchecked in matters of cybersecurity. In practice, the White House has pushed the policy envelope with regard to citizen privacy. Its engagement with technology companies at the end of 2015 is one example of its attempt to do the right thing, using perceived leverage from heavyweight solutions like backdoors to gain the attention of Silicon Valley.

There is sore need to recalibrate here. I say this from a unique perspective as I come from the intelligence world. But my most recent experiences are with cybersecurity companies that protect United States companies from sophisticated attacks emanating from every corner of the world. I am neither a privacy activist nor corporate executive with vested interests outside the US. I understand that the world is full of bad people who want to do horrible things to our country. Terrorism is a real threat, and the United States needs to maintain its vigilance against future attacks. However, it is imperative that we do so with the understanding of the full set of consequences, both intentended and not.

To put it bluntly, access to backdoors (through escrowed encryption keys or any other technical mechanism) is simply not a viable strategy in the fight against terrorism and should not be our main policy thrust. As tempting as it may be to seak out an “easy” button for this problem, we need more deliberation and more creative options. There are three compelling reasons that we need to eschew backdoors when fighting terrorism:

Reason 1: Providing backdoors to governments – any government – is a bad idea. Engineering students learn early on to avoid single points of failure in their designs. A backdoor provides the most elevated access to any system or software, and can provide that same access to unintended parties, including attackers. Two axioms hold true when dealing with designed backdoors. First, common entry points always get discovered. Once available on the public Internet, systems will be subjected to the constant onslaught from all manner of attackers, including nation-states. Second, the security of systems degrades over time. Once they exist, backdoors will be used, and inevitably someone will make a mistake leading to the (potentially unknown) use of backdoor access by others. This argument doomed the Clipper Chip in the 90’s and highlights the current worry abour the recent Juniper router backdoor disclosure.

Furthermore, what’s to stop other countries from demanding access to these same backdoors? Virtually all the discourse to this point has been in the context of the US government accessing US companies, but imagine the Chinese or Russian government demanding access to the backdoors of Google, Apple, and Facebook as a precondition of these companies selling in their markets? The idea is not far-fetched: in fact, China’s New Network Law is already blurring the line between competition and national security.

Reason 2: Governments have struggled to protect their own data – why give them the keys to all kingdoms? The US Governement currently has a large “trust” problem with its citizens. If we citizens are doubtful that the government can protect its own secrets, why should we entrust them with backdoor access to all of our secrets too? The 21.5 million government workers whose highly sensitive, and damaging, data was lost by OPM are sufficient proof of a crisis in confidence. Even more disconcerting is NSA’s data loss via Snowden. Imagine that rather than publishing gigabytes of NSA memos and presentations, Snowden revealed the private information, collected by NSA, on the Internet. This crisis of confidence in governments is most pronounced in adults below thirty years-old. Any further concentration of government power to access information via backdoors would exacerbate the situation.

Reason 3: Don’t kill the technology goose that lays the golden egg.  US technology product and cloud companies are the economic engine that fills US Treasury coffers. By mandating backdoor access, the US government would put US technology companies at a severe competitive disadvantage, which ultimately weakens their worldwide position of leadership and damages our economy in ways we will never be able to fully quantify. Already, suspicion exists with many international technology buyers. For example, many US companies selling overseas are asked by their prospects to fill out questionnaires that detail how they cooperate with American law enforcement and intelligence agencies. Suffice it to say, it’s doubtful non-US-based companies face the same scrutiny. Eventually, the market will provide more viable alternatives to existing US-based hosting and technology products, but until then much damage can be done.

Backdoors and their many different iterations are not a long-term or viable policy option to fight terrorism. Their intended and unintended consequences far outweigh their benefits. The sooner we move away from any discussion of this approach, the better we will be served. No doubt, we need more creative options from our intelligence and law enforcement community. It’s the implementation of encryption, at either end of the conversation, where opportunities exist for exploitation. This, and other examples, is where our government should focus its efforts – not on the (seemingly) “easy” button. 

Related Content: 

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.